1. Field of Invention
The present invention relates to novel techniques, methods, and apparatus for protecting RFID tags from power analysis or from cryptanalytic attacks based on power analysis such as SPA or DPA when they are communicating with a tag reader.
2. Prior Art
Once considered merely as an upgrade to the humble optical barcode, passive RFID tags have been recently making gains both in their capabilities and in their planned applications. The regulatory bodies behind the tag standards are aware of security and privacy issues and have been urging tag makers to make their tags as secure as possible. There are even indications that RFID tags will soon implement full-fledged cryptographic functionality. A secure tag can enhance the privacy of consumers purchasing RFID-equipped products and the security of retailers using RFID technology, who need to know that tags are not tampered with. This is especially the case when discussing RFID-enabled passports, which are currently planned for several countries. The threat model under which RFID tags are designed to be secure is based on an adversary who is able to listen to communications between tag and reader but does not have physical access to the tag. Security countermeasures such as cover coding and even secret key encryption have been planned and deployed to address this scenario.
An RFID system consists of a high-powered reader communicating with an inexpensive tag using a wireless medium. The reader generates a powerful electromagnetic field around itself and the tag responds to this field. In passive systems, placing a tag inside the reader's field also provides it with the power it needs to operate.
It was recently discovered by Oren and Shamir that it is possible to launch an attack on RFID tags which can be called a parasitic backscatter attack. Such an attack is basically a power analysis attack in that it measures the power consumed by a tag, but it is unique in that it does not require either tag or reader to be physically touched by the attacker. By making use of the fact that the tag is powered from the air, one is able to measure the tag's power consumption unintrusively and at a distance. The power analysis can be carried out even if both the tag and the attacker are passive and transmit no data, making the attack very hard to detect. The attack is effective on UHF tags and can also be adapted to HF tags, which typically use magnetic rather than electromagnetic coupling with the reader.
An operating UHF reader surrounds itself with a powerful electromagnetic field. Placing a tag in the reader's field causes a current to flow through the tag's dipole antenna. Since the dipole now has a variable electrical current flowing through it, it generates a Backscatter from Tag to Reader because the reader-tag channel and its equivalent circuit generate an electromagnetic field of its own. The strength of this field is a function of the current flowing through the dipole antenna, which is in turn a function of the power consumption of the tag.
It is worth noting that the tag intentionally modulates the backscatter radiation typically by means of a switched impedance connected in parallel to the tag circuit. This allows the tag to transmit data back to the reader through a mechanism called backscatter modulation. As has been recently determined by Oren and Shamir, the tag also unintentionally modulates the backscatter radiation in a measurable way via its internal computations. The tag's intentional modulation does not disturb an attacker's measurements of its unintentional modulation because the tag and reader operate in a half-duplex line regime, meaning that the tag does not transmit data while the reader is sending it commands.
Protocols define how tags and readers should communicate and what data a tag should store. One such protocol specifies a 96-bit ID to each tag, as well as an 8-bit kill password which can be concealed from unauthorized readers. Sending a tag a kill command with the appropriate kill password disables it permanently. However, this protocol is not without its problems. The protocol made it difficult to program and read a large number of tags simultaneously, and most notably it had a phantom read problem—tags are validated only by a 16-bit CRC value, so with probability 2−16 a reader receiving random noise will report seeing a tag even if none are present.
Another protocol has a better-designed air interface, as well as more strictly defining the contents and capabilities of tags. This protocol increases the amount of data which can be stored on the tag from 128 bits to 2048 bits, and replaces the 8-bit kill password with a pair of 32-bit passwords: the kill password and the access password.
Since the reader has a higher transmit strength than the tag, it makes sense to protect against adversaries who can detect the reader's signal but not the tag's backscatter. Tags use cover coding to add this protection. Under this scheme, the tag sends a pseudorandom sequence to the reader, and the reader XORs the kill password with this sequence. An adversary, who can intercept only the reader's powerful signal, and not the tag's weak response, cannot learn the actual data exchanged between the reader and the tag. To meet the tag's limited memory and power constraints, the tag only remembers 16 pseudorandom bits at a time, requiring two rounds to go through the whole 32 bit password. Although the cover coding slightly complicates a power analysis attack, it does not prevent it.
In U.S. Pat. No. 6,507,913, a method and apparatus to protect smart cards from power analysis is described. Whereas, the attack problem concerning smart cards is similar broadly with protecting RFIDs, the double buffering protection mechanism described there is much more suitable for RFID tags than for smart cards, for reasons which will be explained shortly.